> The length of the phrase is actually in fact tied explicitly to > memory. The longer a string of characters, the more difficult it is to > remember. That's just fact
repeating this doesn't make it true, but it does make the phrase easier to remember. so i think your argument is its own defeat. the gettysburg address is fairly easy for me to remember. but i don't think i'd have such an easy time on a randomly-choosen 285-word phrase. clearly something this long is not necessary. i'm sure you have made-up phrases with non-words you tell our dog. that should be easy to remember, not on the internet, and have the added bonus that you get to smile while typing your password. > When talking about symmetric cryptography, "four score and seven years > ago" would probably be a great key. There is no convenient rainbow > table upon which to do a hash lookup. It's sufficiently expensive to > brute-force. i'm not convinced of this. here's why. i was reading yesterday about a research-project that built a machine that could try 1 billion rsa keys/sec. now consider such a machine in the possession of bad guys. for them it would make sense to harvest nearly every phrase you can find on the internet and try it. the hard part would be crawling the net. - erik
